They admit it was either a misread of the data or that the data somehow changed after their assessment.


Researchers who claimed they found a link between the Internet addresses used as part of malware that attacked Freedom Hosting's "hidden service" websites last week and the National Security Agency (NSA) have backed off substantially from their original assertions. After the findings were criticized by others who analyzed Domain Name System (DNS) and American Registry for Internet Numbers (ARIN) data associated with the addresses in question, Baneki Privacy Labs and Cryptocloud admitted that their analysis of the ownership of the IP addresses was flawed. However, they believe the data they used to make the connection between the addresses and the NSA may have changed after their first observation.

"We know that those ARIN records that appeared to show the torsploit IP addresses (65.222.202.53 and 65.222.202.54) as being directly allocated to [defense contractor] SAIC are inaccurate," the researchers said in a joint post to Cryptocloud's discussion forum. "Or, rather, the popular analytics resource domaintools.com uses an old (ca. 1993) method for interpolating individual IP ownership ('assignment' is a better term, really, but it's a bit clunky). That old method, all evidence suggests, doesn't give accurate information about the two torsploit IPs in question." They added the qualification that "perhaps the SAIC connection was genuine and it's been cleverly 'scrubbed' on the fly. If so, we lack the analytic capabilities to ferret it out and it'll have to be someone other than us to catch the snowflakes and, from them, reconstruct the storm."

As for the attribution of the IP addresses to the NSA, the researchers who reviewed Robtex data on the address block early on August 5 all reached the same conclusion. "All of us agreed... the block of IPs covering 65.192.0.0/11 to 65.222.202.53 'rolled up' directly to nsa.gov... at least according to robtex." That assessment is not supported by the data currently in Robtex.

This, the researchers said, means one of two things. The first possibility, the researchers admit, is that "we simply read the robtex report wrong early Monday morning—all of us." The second is that the data somehow changed between early Monday morning and noon, when Wired's Kevin Poulsen and others started looking at the data and questioning the researchers' assessments.

With no screenshot or other hard evidence of the latter, the first option is the most likely. And even if the initial SAIC address correlation had been correct, the connection to the NSA would still be highly questionable. SAIC does work for many federal agencies—including the FBI, to which the company provides a broad range of "cybersecurity products and services" under the $30 billion, eight-year Information Technology Supplies and Support Services (ITSSS) contract awarded to SAIC and a collection of other IT companies in 2010. Ars has previously reported on the FBI's efforts to use malware in its investigations, such as the warrant request denied in March of this year to install remote administration tool malware on the computer of a suspect.


Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat